Is your printer part of a flaming botnet?
We’ve had some reports that people are receiving printed documents with the following content:
stackoverflowin has returned to his glory,
your printer is part of a flaming botnet,
the hacker god has returned form the dead.
—> YOUR PRINTER HAS BEEN OWNED <—
((struct Elf32_Ehdr*) ((0xFF & memes)base)->e_machine)
——-
Email: stackoverflowing@tuta.io
Twitter: https://twitter.com/lmaostack
——-
GREETINGS FROM BREAKTHEINTERNET (BTI) WITH LOVE
If this has happened to you it’s likely you’ve forwarded port 9100 and your printer is available for others to access on the internet.
It’s affecting all major brands of printers such as:
- HP
- Samsung
- Epson
- Canon
- Brother
- Afico
- Konica Minolta
- Oki
Our suggestion is to close this port ASAP on your router and factory reset your printer for good measure! This has happened because someone has access to the printer and is able to send print commands using information in the HP PJL printer manual to exploit printers.
I’ve been hacked.. How did they get in?
The security between you and the public internet is controlled by your router firewall. This box protects your devices at home from being accessed by someone outside your network without your permission. Sometimes these ports are opened for gaming, remote working and even remote printing (this might be you). Printers are generally the most insecure device in your home. Once someone has access, they can print whatever they like without needing a password. It’s likely you or someone in IT has opened this port for remote printing or, in extreme cases, your router has a known exploit and has been compromised, leaving the door open for attacks like this!
What next.. Close port 9100, 361, 515, 8080, 80 and 443 if open
- Visit your router/firewall webpage, normally http://192.168.1.1 or http://192.168.1.254 *if you can’t find this, open a command prompt, type ipconfig and press Enter. Use the default gateway address to get into the control panel.
- Login to the router
- Find an area of the router called one of the following: NAT / Network Address Translation / Open ports / Port forwarding
- Delete/disable the rule that points to your printer *if it’s not there proceed to the next step
- Find an area of the router called: DMZ and ensure this isn’t pointing to your printer either.
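To go with the steps above, here is an added example (not part of the original post) that audits a list of port-forwarding rules for anything that reaches the printer, including port ranges that cover 9100 and rules that use a different external port. The CSV rule format, the IP addresses and the sample rules are constructed for illustration; real routers export their own formats.

```python
import csv
import io

# Ports named in the article, plus 631 (the registered IPP port).
PRINTER_PORTS = {9100, 361, 515, 8080, 80, 443, 631}


def parse_ports(spec):
    """Turn '9100' or '9000-9200' into an inclusive (low, high) tuple."""
    low, _, high = spec.strip().partition("-")
    return int(low), int(high or low)


def audit_rules(rules_csv, printer_ip, dmz_host=None):
    """Return findings for every rule (or DMZ setting) that exposes the printer."""
    findings = []
    if dmz_host == printer_ip:
        findings.append(("DMZ", "all ports", "DMZ host points at the printer"))
    for row in csv.DictReader(io.StringIO(rules_csv)):
        if row["internal_ip"].strip() != printer_ip:
            continue  # rule forwards to some other device
        # Judge the rule by where it lands (internal ports), not by the
        # external port number, which may have been changed.
        low, high = parse_ports(row["internal_ports"])
        hit = sorted(p for p in PRINTER_PORTS if low <= p <= high)
        reason = f"reaches printer ports {hit}" if hit else "forwards to the printer"
        findings.append((row["name"], row["external_ports"], reason))
    return findings


# Constructed sample export (hypothetical format and addresses).
SAMPLE_RULES = """name,proto,external_ports,internal_ip,internal_ports
plex,tcp,32400,192.168.1.20,32400
printing,tcp,9100,192.168.1.50,9100
legacy,tcp,9000-9200,192.168.1.50,9000-9200
remote-print,tcp,19100,192.168.1.50,9100
webcam,tcp,8080,192.168.1.30,8080
"""

if __name__ == "__main__":
    found = audit_rules(SAMPLE_RULES, "192.168.1.50", dmz_host="192.168.1.50")
    for name, external, reason in found:
        print(f"DELETE/DISABLE {name}: external {external} {reason}")
```

The range rule and the rule on external port 19100 are both flagged even though neither lists 9100 as its external port.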
Quick tip.. Change your printer password
You can set a password to prevent unauthorised users from remotely configuring the printer or viewing printer settings from the embedded web server (EWS). Once set, this password is required to change or view many printer settings from the EWS.
For consumer HP OfficeJet products, you may need to assign a password by going to:
- Settings
- Security
- Password Settings
Can’t see the port forward or DMZ rule.. Your router might be vulnerable/hacked too!
Our blog has been booming with hits, emails and comments on this topic. If your router is more than 3 years old, has never been updated or has a known exploit, it might be safer to simply replace your router if you can’t see the rules in there. If this is the case, we’ve linked the firewall router we recommend to our clients; this works with ADSL, VDSL and ethernet fibre.
Check our blog on how to improve your printer security
Update: New messages confirm it’s port 9100…
stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin’s forehead utilising BTI’s (break the internet) complete infrastructure.
hacked
hacked
lol just, kidding
For the love of god please close this port, skid.
stackoverflowin/stack the almighty,
hacker god has returned to his throne,
as the greatest memegod. Your printer is part of a flaming bonnet.
–> YOUR PRINTER HAS BEEN PWND’D <–
There’s even a box with 9100 written on it! (Big clue).
Also close port 9100, 361, 515, 8080, 80 and 443 if open
Did this happen to you? We’d love to hear your experiences.
Are you concerned about your computer security? Check out our blog on how to make your computer virtually unhackable.
So what if I need to forward port 9100 to do my printing?
Are you saying I’m SOL?
You could change the external port to something else and use NAT to translate it back to 9100 or, depending on your router/firewall, you might be able to open 9100 to just the IP you’re sending from. The ideal situation is to use a VPN for secure printing over the internet. Hope this helps!
Obfuscation(changing the number) is not real security. Any attacker worth his salt can get past that.
Just use a different port. VPN would be better, but a little overkill if you’re not paranoid.
OMG – HP needs to help us.
It’s affecting many people.
It’s not HP’s fault. It’s your router like the article said.
Nothing here worked on my router. The router/modem is from AT&T, brand Arris, model NVG510. I got a partial message from a printout yesterday, but today I came in to see the full page printed like you showed. How can I fix this but keep printer wifi access? My Epson Workforce 840 doesn’t have a password option. Any help would be appreciated.
It’s sad this hacker thinks he is a whitehat based on his twitter account description.
This is a guide for your router that will take you to the port forwarding section: https://portforward.com/motorola/nvg510/ can you visit this part and confirm it is blank?
I have a Motorola nvg router and found no rule in the NAT section. Could not locate DMZ setting. And my HP 7610 does not have a password option.
What can I do to fix this?
I’ve been looking into this and the NVG has a known vulnerability that enables a backdoor to the device. This could have been exploited. Our advice would be to call your Internet provider and request a new router or if it’s your own replace as soon as possible. We’ve resolved this issue for customers in the UK and I can assure you it’s very likely to be the router firewall. This provides the security between all your home devices and the internet. If breached most devices would normally have a password, antivirus software and personal firewall. This attack works because a typical printer is available for anyone to print once they have passed the firewall. Hope this is useful to you.
This has been happening for nearly 2 weeks now…started with racist spewings from Samiz.dat. A couple of days of that were followed by random messages a few times a day that print across the top of one page. It’s driving me crazy!!
In August 2016 there was something going around with printers with port 9100 open printing Nazi propaganda! Closing this port will resolve the issue.
Got hit with this, printer is eStudio Toshiba357 and we have a managed firewall from ATT so we have no control, but they were never asked to NAT that printer on 9100. I spoke with tech from printer company and they said impossible, I asked if they communicate somehow and they said they have something set up to send counter info to Toshiba but could not elaborate, I turned off something called IPP which had two URLs listed, when I went to those URLs before turning it off I received a Not Found message in bold letters, after turning off IPP I got the standard IE message that website could not be found, so something was there. My question is how did they get to the printer in the first place, internally? I changed the admin password from the default which the printer guys had left that way.
IPP (Internet Printing Protocol) uses port 631. The URLs might have been there for remote printing setup but without further knowledge of these addresses or printer setup it’s difficult to further diagnose. You can always test your network for open ports using this tool: http://www.t1shopper.com/tools/port-scan/
It’s happening to me right now, my Epson printer spat out the tiny robot last night :/
I have this problem, and my router is an Apple AirPort Extreme. My printer is an HP Color LaserJet Pro. I have no idea how to block any port and my internet searches have been fruitless. Can anyone help?
Hi Erin, AirPort Utility > Select the base station > Edit > Network tab > Port Settings. Press the minus button on the open port.
Have airport too … but I can’t see any ports in that section of Network tab.
If that’s the case and it’s a HP you need to turn off eprint.
From the Home screen, touch (HP ePrint), and then touch Settings.
Touch ePrint, and then touch Off.
Thank you! I did not have any ports listed on the network settings, but I was able to turn off HP’s ePrint. Is there anything else I need to do?
the white hat hacker is accessing the printer from http://www.traceip.net/whois/94.102.51.26
I guess he’s not doing any harm but making us aware that we have left the port open that we should not.
His twitter: https://twitter.com/lmaostack
There’s harm. He disabled my printer. I bought a new one before I could repair the current model with a firmware upgrade. That took time and effort. And now I have a printer coming I don’t need.
I noticed a sheet on printer a day or two ago and thought it might be something my kid was working on. I saw another one this morning waiting in the out tray. He claims he’s done nothing. The 9100 port was open. I closed it. I didn’t follow all your advice, but changed things up on my Epson account. I’ve tested remote printing again to make sure I can still print even though port closed. Need to test all PCs in my home too. Is there anything other than starting fresh with factory defaults you recommend? Printer is Epson WF-2540
That’s all you should need to do!
I have an Apple router. I have checked the NAT port forwarding. I have only one for Plex and it’s not 9100.
I do have a Brother printer. Symptoms started with my being unable to print. Only when I manually cleared a job in memory did I see the first part of the message from the hacker. Have factory reset it but it’s still stuck.
Any suggestions?
Do you have Cloud printing enabled on the printer?
Not to my knowledge, and certainly not on purpose. I’ve reinstalled the firmware and now print to it via print-sharing on a USB connected mac. That fixed it, but not until I had wasted time troubleshooting. Oh… and Brother customer support claims it’s impossible to hack the printer…. but I have the printouts to prove otherwise.
Can the “hackers” really do anything else to the printer or just print to it? Is it any different from someone knowing your fax number?
It’s like someone knowing your fax number but there is some potential if someone was to find port 80 open on a printer with a default password. They could for instance take a backup of the printer – this might have scantoemail or network share passwords attached to it. It’s never a good idea to leave ports open.